Researchers at Duke, Intel Labs and Penn State University created a tool called TaintDroid that identifies apps transmitting private data to distant locations. TaintDroid monitors how applications access and use your location, microphone, camera and the phone numbers in your contact list. The tool also provides feedback once an app is newly installed, letting you know if the app is transmitting data.

"This automatic feedback gives users greater insight into what their mobile applications are doing and could help users decide whether they should consider uninstalling an app," says Peter Gilbert, a graduate student in computer science at Duke University who's working on the project. The TaintDroid program isn't publicly available yet.

The latest data supports a study published in June by mobile security company SMobile Systems that found 20 percent of the then-available 48,000 third-party applications for the Android operating system provided sensitive or private information to outside sources.

Data collection practices in apps are increasingly becoming a major privacy issue for consumers. In July, a mobile security firm called Lookout identified a free wallpaper Android app, Jackeey, that allegedly gathered data about its users, including their phone numbers, carrier subscriber identifiers and the phone numbers of their voicemail accounts. The app then sent the information to a website based in China. The Jackeey app is estimated to have anywhere from 1 to 4 million downloads.

Other mobile phone makers have also faced similar issues. In 2009, a developer found the Palm Pre’s operating system, webOS, sent his GPS location back to the company every day. Palm was also monitoring the webOS apps he used each day and recording how long he used each one. The outcry forced Palm to change how it handles data gathered by the OS.

But the rapid growth of the Android Market, which has more than 90,000 apps, raises questions about how well app makers handle data. Unlike the iPhone app store, apps in the Android Market don't have to be approved before they appear. Despite Google's broad guidelines, apps aren't checked or monitored to see if they follow the rules.

For instance, after installing the TaintDroid program, Gilbert got a notification that a wallpaper app on his phone sent his device's number and other identifying information to imnet.us, a website in Shenzhen, China.

Most mobile operating systems regulate how an application can access private information and force apps to ask for user permission. But when someone installs an app, it doesn't always explain what data is gathered, how often the device is polled and what the data will be used for. So users have to blindly trust app developers to do the right thing when it comes to privacy.

That's where the TaintDroid program steps in. The software marks information with an identifier called a "taint." A tracking system monitors the movement of the information with the attached taint identifier. It then sends the user a notification of the movement of information.
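The mark, track and notify flow described above, as a simplified Python model added here for illustration. It is not TaintDroid's code; the names `Tainted`, `source` and `Monitor`, the label strings, the hosts and the sample values are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tainted:
    """A value plus the taint labels of the private sources it derives from."""
    value: str
    labels: frozenset = frozenset()

    def __add__(self, other):
        # Propagation: the result carries the union of both operands' labels.
        other = wrap(other)
        return Tainted(self.value + other.value, self.labels | other.labels)

    def __radd__(self, other):
        return wrap(other) + self

    def map(self, fn):
        # Encoding or hashing changes the bytes but never drops the labels.
        return Tainted(fn(self.value), self.labels)

def wrap(v):
    return v if isinstance(v, Tainted) else Tainted(str(v))

def source(label, value):
    """Taint source: mark data as it is read from a private API."""
    return Tainted(value, frozenset({label}))

class Monitor:
    """Taint sink: checks labels on data leaving the device and notifies."""
    def __init__(self):
        self.notifications = []

    def send(self, app, host, payload):
        payload = wrap(payload)
        if payload.labels:
            self.notifications.append((app, host, tuple(sorted(payload.labels))))
        return payload.value  # the transmission is reported, not blocked

def demo():
    mon = Monitor()
    location = source("LOCATION", "35.99,-78.90")    # constructed sample
    phone = source("PHONE_NUMBER", "555-0100")       # constructed sample
    hidden = phone.map(lambda s: s.encode().hex())   # obfuscated identifier
    sent = mon.send("wallpaper", "ads.example", "loc=" + location + "&id=" + hidden)
    mon.send("wallpaper", "cdn.example", "GET /image.png")  # untainted: silent
    return sent, mon.notifications
```

Because the label travels with the data rather than being matched against its content, the hex-encoded phone number still triggers a notification even though the original digits never appear in the outgoing request.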

The researchers found that most apps shared GPS sensor location information with ad servers only when displaying ads to the user. But some apps shared location even when the user was not running the application, in some cases as frequently as every 30 seconds.

"We don’t have the data to say that a majority of third-party apps are untrustworthy," says Landon Cox, an assistant computer science professor who helped develop TaintDroid. "This study, however, is a proof-of-concept to show the value of enhancing smartphone platforms to include real-time monitoring tools like TaintDroid to give users an awareness of how their information is being shared."